MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f62ff438b7fc20e6a86d790a39e768b639cad74f781035447f86b102c67c4095. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f62ff438b7fc20e6a86d790a39e768b639cad74f781035447f86b102c67c4095
SHA3-384 hash: 4651168e142cd0d9421b7fd3518c04ae9a27c2d3efdbea56d251d17bf8b9ce264def97fcf7e970322bf5efcbb1af3b61
SHA1 hash: 37cb6175888164e47c5225d6229958f6b7a96232
MD5 hash: 2512ee77a40f49585af39ac2e107b9e6
humanhash: neptune-queen-king-charlie
File name:CICU3023855.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'353'728 bytes
First seen:2023-02-07 08:01:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:dqr25FnodFJbRETEK8zukx+WBA0skDmO/Q79xiZNkjDfijrNtg5MModuhTb:Yo9y
Threatray 5'454 similar samples on MalwareBazaar
TLSH T1C9554FB094FB45E9E00FC9401AFCFEF411B671F3DCC60D6683ADA6045F6AAA47E4950A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CICU3023855.exe
Verdict:
Malicious activity
Analysis date:
2023-02-07 08:06:10 UTC
Tags:
trojan snake keylogger evasion
Link:
https://app.any.run/tasks/59af1674-be25-48d2-bdfd-98be67c1db2c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/361257/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a browser
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/63e20583447edb203a030593/reports/4abd5b4a-a49c-4592-9252-21e48d3b342f/overview
Verdict:
Malicious
Labled as:
MSIL.Bladabindi.Generic
Link:
https://www.hybrid-analysis.com/sample/f62ff438b7fc20e6a86d790a39e768b639cad74f781035447f86b102c67c4095
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d0946951-0997-47c8-a85a-17097fd7d8e4
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1167497
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 800280 Sample: CICU3023855.exe Startdate: 07/02/2023 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus / Scanner detection for submitted sample 2->65 67 7 other signatures 2->67 7 Ityxlyox.exe 2 2->7         started        10 CICU3023855.exe 1 5 2->10         started        13 Ityxlyox.exe 1 2->13         started        process3 file4 69 Antivirus detection for dropped file 7->69 71 Multi AV Scanner detection for dropped file 7->71 73 May check the online IP address of the machine 7->73 75 Machine Learning detection for dropped file 7->75 15 Ityxlyox.exe 7->15         started        19 powershell.exe 13 7->19         started        21 Ityxlyox.exe 7->21         started        39 C:\Users\user\AppData\...\Ityxlyox.exe, PE32 10->39 dropped 41 C:\Users\...\Ityxlyox.exe:Zone.Identifier, ASCII 10->41 dropped 43 C:\Users\user\AppData\...\CICU3023855.exe.log, ASCII 10->43 dropped 77 Encrypted powershell cmdline option found 10->77 79 Injects a PE file into a foreign processes 10->79 23 CICU3023855.exe 15 2 10->23         started        25 powershell.exe 16 10->25         started        27 Ityxlyox.exe 13->27         started        29 powershell.exe 13 13->29         started        31 Ityxlyox.exe 13->31         started        signatures5 process6 dnsIp7 45 checkip.dyndns.org 15->45 33 conhost.exe 19->33         started        47 checkip.dyndns.com 193.122.6.168, 49701, 49703, 80 ORACLE-BMC-31898US United States 23->47 49 checkip.dyndns.org 23->49 35 conhost.exe 25->35         started        51 193.122.130.0, 49704, 80 ORACLE-BMC-31898US United States 27->51 53 checkip.dyndns.org 27->53 55 Tries to steal Mail credentials (via file / registry access) 27->55 57 Tries to harvest and steal ftp login credentials 27->57 59 Tries to harvest and steal browser information (history, passwords, etc) 27->59 37 conhost.exe 29->37         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f62ff438b7fc20e6a86d790a39e768b639cad74f781035447f86b102c67c4095/
Threat name:
ByteCode-MSIL.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-02-07 08:02:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6yx7iofx7qqonkdnpefdtz3iwy44vv2ppaidkrd7q2yqfrt4ickq._file
Verdict:
malicious
Similar samples:
085046ececcff959420164dc9ff1f78b7d05abf01d4fe00e35933cf98a0698e5
SnakeKeylogger
0d1b2fea0d5ddb060f0354f282e7fcce69fc48b55e94195f01b1ed374cf4329e
SnakeKeylogger
72db9dc671957e0422ca5c00a29c69e4ac142beaaf887396ef955132cb0b7e32
SnakeKeylogger
8572c3b461f643bf5baaeb032cf81f83af78dcc60e34d98c669d12f748bb38f3
SnakeKeylogger
d943f08a35dc06253557151dbff927a9eb4c26f425d328cf612cb7e5211c3822
SnakeKeylogger
dcff2f1adb183112521e7b484dc2fff1bf98316fcc38f4c06eb0e39c416fa3dc
SnakeKeylogger
e65c8404e4199df1515eba17f546cf27c15c2391bc40189ea2636869e9811f6f
SnakeKeylogger
f3db3dc608818127179558b89a34afcc2cf8d40fc809e84e96f1f6b904bbd40d
SnakeKeylogger
f7dc2d6bc60e4be7901e3c70558612f8838f7270c3616ef95c144f57df909cc9
SnakeKeylogger
+ 5'444 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger persistence spyware stealer
Link:
https://tria.ge/reports/230207-jw5sraad24/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
b21c83b9831e52df1589accfea4144e868807d72d29a9fed65c90ec5f3c0b9d4
MD5 hash:
c826f3ea5267baf5357db8af21ed4b09
SHA1 hash:
93e09dd205d302725a053c6a47c178ec00082f18
Link:
https://www.unpac.me/results/32fc9822-bf3d-4ff4-991c-b08e2be78253/
SH256 hash:
d328a4269fb4da9f48e9f4dc9c9aa1be9f5eea60def935e37f6ded80aade9833
MD5 hash:
7fcfdb88dd510c2aeda9b16544939835
SHA1 hash:
74b38287d2179f337f6e58b59d7f33ff30e3a867
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/32fc9822-bf3d-4ff4-991c-b08e2be78253/
Parent samples :
f62ff438b7fc20e6a86d790a39e768b639cad74f781035447f86b102c67c4095
c486c324dbf69dba15085f5020664872c2734a13e163477901b2bb57196fccf6
SH256 hash:
f62ff438b7fc20e6a86d790a39e768b639cad74f781035447f86b102c67c4095
MD5 hash:
2512ee77a40f49585af39ac2e107b9e6
SHA1 hash:
37cb6175888164e47c5225d6229958f6b7a96232
Link:
https://www.unpac.me/results/32fc9822-bf3d-4ff4-991c-b08e2be78253/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f62ff438b7fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f62ff438b7fc20e6a86d790a39e768b639cad74f781035447f86b102c67c4095

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe f62ff438b7fc20e6a86d790a39e768b639cad74f781035447f86b102c67c4095

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/361257/

Comments